Network function virtualization (NFV) is a standardization organization founded for the purpose of “virtualizing conventional networks,” and has developed a set of standards for network deployment in a virtualized environment. The standards developed by the NFV organization can implement network virtualization, flexible deployment, and the like.
A virtual network architecture developed by the NFV includes an element management system (EMS), an NFV orchestrator (NFVO), a virtualized network function (VNF) instance, a VNF manager (VNFM), an NFV infrastructure (NFVI), and a virtualized infrastructure manager (VIM) in a VNF framework.
The EMS, which is a conventional network element manager, is configured to manage a VNF instance as a network element, where the VNF instance is obtained by instantiation; the NFVO is configured to orchestrate a VNF; the VNF instance is a virtualized network element that runs a network function; the VNFM is configured to manage the VNF; the NFVI includes virtualized computing resources, virtualized storage resources, virtualized network resources, and the like; the VIM is configured to manage the NFVI according to instructions of the NFVO and the VNFM.
The EMS or the VNFM manages the VNF by establishing a management channel to the VNF. To prevent a malicious user from attacking a network, both parties need to be authenticated when a management channel is established between the EMS or the VNFM and the VNF. Generally, the authentication is performed by using a transport layer security technology, in which a certificate is used as a proof of authentication to perform authentication operations on both parties.
However, in a conventional network, manners of acquiring a certificate include but are not limited to the following two manners:
First Manner:
An initial certificate bound to hardware is imported manually or at initial installation of hardware or software, and then a desired certificate is acquired by using the initial certificate and a certificate management protocol.
However, in the NFV standards, a VNF is automatically generated on a VM and is unable to obtain a certificate in the first manner, which leads to poor security of a management channel established between an EMS or a VNFM and the VNF.
Second Manner:
When a network element is generated, a vendor of the network element sets a vendor certificate in the network element. Therefore, when the network element is initially configured, the network element uses a certificate management protocol to apply to a public key infrastructure (PKI) of an operator for a certificate issued by the operator. In a process of applying for the certificate, the network element uses the vendor certificate as its identity proof, so that the PKI trusts the network element and issues the operator certificate.
However, in a virtualized environment, a VNF is generated dynamically and is thus unable to apply for a certificate in the second manner, which leads to poor security of a management channel established between an EMS or a VNFM and the VNF.
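The requirement stated above, that both parties be authenticated by certificate when the management channel is established, can be checked on each endpoint's TLS configuration. The following is an added example, not part of the original text: it uses Python's standard `ssl` module, assumes the VNF is the listening end and the EMS or VNFM initiates the connection, and all function names and file parameters are hypothetical.

```python
import ssl

def vnf_listener_context(require_manager_cert, ca_file=None, cert_file=None, key_file=None):
    """TLS context for the VNF side (assumed here to be the listening end)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # Library default for a listener is CERT_NONE: the channel is encrypted,
    # but the connecting manager is never asked to prove its identity.
    if require_manager_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issued the manager certificates
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the VNF's own certificate and key
    return ctx

def manager_dialer_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context for the EMS/VNFM side (assumed here to initiate the connection)."""
    # The default for a connecting endpoint already requires and name-checks
    # the certificate presented by the VNF.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # presented when the VNF requests it
    return ctx

def audit_peer_authentication(ctx, role):
    """List the reasons this endpoint would accept an unauthenticated peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(role + ": peer certificate not required")
    if role == "manager" and not ctx.check_hostname:
        findings.append(role + ": certificate not bound to the VNF name dialled")
    return findings

def audit_channel(vnf_ctx, manager_ctx):
    """Both ends must be clean for the channel to be mutually authenticated."""
    return (audit_peer_authentication(vnf_ctx, "vnf")
            + audit_peer_authentication(manager_ctx, "manager"))

if __name__ == "__main__":
    for label, strict in (("one-way", False), ("mutual", True)):
        findings = audit_channel(vnf_listener_context(strict), manager_dialer_context())
        print(label, findings)
```

With `require_manager_cert=True` the listener rejects any peer that cannot present a certificate chaining to the loaded CA, which is why each endpoint, including a dynamically created VNF, needs a certificate of its own before the channel can be established.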